Iowa’s new data privacy law, which will come into force in 2025, adds to an increasingly complex patchwork of state laws.
On March 28, 2023, Iowa became the sixth US state to enact a comprehensive privacy law. Senate File 262 (SF 262), referred to here as the Iowa Privacy Law, passed the state House and Senate unanimously and was signed by Governor Kim Reynolds.
The Iowa Privacy Law imposes obligations similar to those already in force under other state privacy laws, most notably Utah's. For companies already subject to those laws, the main task will be to ensure that existing compliance measures cover personal data collected about Iowa residents, for example by extending privacy notices, processor contracts, and consumer rights request mechanisms to Iowa consumers' personal data.
The Iowa Privacy Law will come into force on January 1, 2025. The law applies to companies that do business in Iowa or target products or services to Iowa consumers and, during a calendar year, either:
- control or process personal data of at least 100,000 Iowa consumers; or
- derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more Iowa consumers.
Comparison to Other State Privacy Laws
Similar to the other state privacy laws, the Iowa Privacy Law can apply to companies even if they have no physical presence in Iowa, and will be enforced by Iowa’s attorney general. Like the other state privacy laws (with the limited exception of California), the Iowa Privacy Law has no private cause of action.
Despite notable similarities with other state privacy laws, particularly the Utah Consumer Privacy Act, the Iowa Privacy Law differs from the other states' laws in several important respects.
- Obligations on “controllers”, “processors”, and “third parties”: Similar to the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the Connecticut Data Privacy Act, the Iowa Privacy Law imposes obligations on “controllers” and “processors” (similar obligations exist under the California Consumer Privacy Act, but with respect to “businesses,” and “service providers”).
- Data subject rights: Similar to the other state privacy laws, the Iowa Privacy Law gives individuals the rights to access and delete their personal data, to obtain a portable copy of it, and to opt out of its sale.
- Sale: Notably, while California, Colorado, and Connecticut laws define “sale” to include “monetary or other valuable consideration,” the Iowa Privacy Law follows the more limited definition of “sale” under the Virginia and Utah laws, which includes only “monetary consideration.” Further, unlike the other state privacy laws but similar to Utah’s, Iowa’s law does not grant individuals the right to correct their data.
- Responding to rights requests: The Iowa Privacy Law gives controllers 90 days to respond to a rights request, rather than the 45 days granted by the other state privacy laws (including Utah). A controller may extend that period once, by a further 45 days, when reasonably necessary given the complexity and number of the consumer's requests.
- Treatment of sensitive data: Similar to Utah, the Iowa Privacy Law requires controllers to give consumers clear notice and an opportunity to opt out before processing their sensitive personal data (rather than an opt-in consent, as required by Virginia, Colorado, and Connecticut, or a right to limit use, as provided by California).
- Privacy notices: Similar to the other state privacy laws, controllers under the Iowa Privacy Law must provide privacy notices to consumers with information on their processing activities.
- No general "data minimization" or "secondary use" requirements: Similar to Utah, the Iowa Privacy Law does not impose general data minimization or purpose limitation obligations on controllers. The only proportionality requirement applies when a controller relies on one of the law's enumerated exemptions, such as preventing security incidents, cooperating with law enforcement, or conducting peer-reviewed research; processing for those purposes must be limited to what is reasonably necessary for the stated purpose.
- Other data processing obligations: Controllers must enter into contracts with processors that contain certain required provisions. Data processors are also obligated to assist controllers with their duties under the law. Similar to Utah, but unlike the other state privacy laws, the Iowa Privacy Law does not require controllers to conduct data protection assessments.
- Right to cure: Controllers have 90 days to cure alleged violations of the Iowa Privacy Law before the state attorney general can bring an enforcement action, and this cure provision does not sunset. This cure period is significantly longer than the one provided in the other states, such as the 30-day period in Virginia and Utah.
The Iowa Privacy Law is also distinct from the other states' laws in its ambiguous treatment of targeted advertising. On the one hand, the list of consumer rights in Section 715D.3 does not include a right to opt out of targeted advertising. On the other hand, the law defines "targeted advertising," and Section 715D.4 requires a controller that sells personal data or engages in targeted advertising to "clearly and conspicuously disclose" that activity, "as well as the manner in which a consumer may exercise the right to opt out of such activity."
These contrasting provisions will likely be a source of confusion, and businesses that already offer the ability to opt out of targeted advertising in the other states may choose to play it safe and extend that opt-out right to Iowa consumers.
The Iowa Privacy Law adds to the patchwork of US state comprehensive privacy law requirements that companies must comply with, and businesses will need to make updates to cover Iowa in their privacy notices, contracts, and user rights mechanisms. Though there are many similarities to the five other laws, passage of the Iowa Privacy Law underscores the need for companies to closely review and consider the differences across the now six comprehensive US state privacy laws. With over 15 other states currently considering similar comprehensive privacy statutes, the US privacy environment is likely to continue to grow in complexity.